Thursday, August 14, 2008

Lessons from the Russian/Georgian cyberwar

One week into the open warfare between Russia and the eastern European country of Georgia, cyberwar rages as intensely as the physical war. Both sides have invested a lot of time and energy into vandalizing web sites and, at many sites, knocking each other off the Internet entirely.

All the data I've seen thus far about who is perpetrating these attacks seems too speculative to trust. So let's set politics aside for the moment, and consider what a motivated network administrator can learn, in case similar levels of hostility are ever pointed at a site you care for.

A researcher who goes by the handle Shadowserver has captured some of the actual code used to knock Georgian government sites offline. As in the cyberattacks on Estonia from April/May 2007, the attackers pulled together a list of target URLs by compiling publicly available records. If your plan for surviving a DDoS attack consists of "We'll just move examplecompanyURL.com to examplecompanyURL.net," this list might make you think again. Attackers who target you specifically are more clever than attackers attempting a mass, automated exploit. They'll find even the more obscure corners of your domains. Your website survival plan should incorporate URLs that are not publicly related to your organization.

Over on his ZDNet blog, Dancho Danchev continues the story by showing how the most devastating attacks have not come from botnets. As with Estonia, resourceful attackers have enticed ordinary computer users to assist in the DDoS by persuading (and instructing) thousands of people to ping target sites.
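The crowd-sourced ping attack described above has a traffic shape that differs from a classic botnet flood: thousands of distinct sources, each sending only a handful of echo requests, so per-source rate limiting never triggers. The following is an added example (not code from this post or from Danchev's write-up) that runs a simple detector over constructed flow records. The log format, the address ranges (RFC 5737 documentation nets) and the thresholds are all assumptions chosen for illustration.

```python
"""Spot a crowd-sourced ICMP echo flood in flow records.

Added example, not from the original post. It assumes a constructed,
simplified flow-log format of one record per line:

    <epoch_seconds> <src_ip> <dst_ip> <proto> <icmp_type>

The detector groups ICMP echo requests (type 8) per destination and
per time window, then flags a window either because *many distinct
sources* hit one target (the populist/crowd pattern, which a per-host
rate limit will miss) or because the raw request count is high
(a conventional single-source flood).
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample traffic, not a real capture."""
    lines = []
    # Three monitoring hosts ping 192.0.2.20 once a second: legitimate.
    for t in range(60):
        for i in (1, 2, 3):
            lines.append(f"{t} 10.0.0.{i} 192.0.2.20 icmp 8")
    # 300 distinct participants each send ONE echo request to 192.0.2.10,
    # spread across the same minute. Per source this is harmless; in
    # aggregate it is the crowd-sourced flood.
    sources = [f"198.51.100.{i}" for i in range(1, 255)]
    sources += [f"203.0.113.{i}" for i in range(1, 47)]
    for k, src in enumerate(sources):
        lines.append(f"{k % 60} {src} 192.0.2.10 icmp 8")
    # A non-ICMP record that the detector must ignore.
    lines.append("5 10.0.0.9 192.0.2.10 tcp -")
    return lines


def detect_icmp_floods(lines, window=60, min_sources=100, min_total=1000):
    """Return a list of alerts, one per (destination, window) that looks
    like a flood. Thresholds are assumptions; tune them to the site's
    normal ICMP baseline."""
    # (dst, window_start) -> {src: echo_request_count}
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, proto, icmp_type = line.split()
        if proto != "icmp" or icmp_type != "8":
            continue  # only echo requests matter here
        window_start = (int(ts) // window) * window
        buckets[(dst, window_start)][src] += 1

    alerts = []
    for (dst, window_start), per_src in sorted(buckets.items()):
        total = sum(per_src.values())
        n_src = len(per_src)
        if n_src >= min_sources:
            kind = "distributed"      # many low-rate participants
        elif total >= min_total:
            kind = "single-source"    # few hosts, high rate
        else:
            continue                  # within normal bounds
        alerts.append({
            "dst": dst,
            "window_start": window_start,
            "sources": n_src,
            "requests": total,
            "mean_per_source": total / n_src,
            "kind": kind,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_floods(build_sample_log()):
        print(alert)
```

In the constructed data the flagged window carries only 300 echo requests, well under the 1000-request threshold a volume-based rule would use, and each participant sent exactly one packet; the alert fires purely on the count of distinct sources. That is the property to watch for when planning for this kind of protest traffic: the signal is in the breadth of the source set, not in any one host's behaviour.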

Back in December, in our first annual "predictions" episode of Radio Free Security, I said this technique would re-emerge in 2008. Though this form of populist hacktivism has occurred only in eastern Europe thus far, it is coming to western Europe and North America -- sooner or later. Masses of people are angry about oil prices doubling and tripling; about mortgage lenders foreclosing on record numbers of housing loans; about all kinds of issues. Everyone under 30 is used to spending a significant portion of every day online. In short, the conditions are right to spawn a populist, online form of protest.

If your organization is related to any kind of issue that can catch fire on a popular level, your Business Continuity Plan should address what to do if traffic beyond the capabilities of even the largest botnets inundates your site. Don't instantly assume your organization flies under the radar. People can get riled up about a lot of issues: animal rights, women's rights, the environment, political elections, controversial media figures. You might figure you're safe from populist ire because you're just a small company that makes cute widgets. If it turns out one of your widget parts comes from, for instance, Tibet, you could find yourself the victim of Chinese hacktivists.

My point is not to raise FUD (fear, uncertainty, doubt). Quite the opposite: by considering this stuff far ahead of when it comes your way, you can have the peace of mind that comes from knowing you're prepared.

So, I recommend bracing yourself today for the kinds of attacks that won't arrive until tomorrow. That's about the only positive thing I can see right now from the conflict in Eastern Europe.
